The hits, for the most part, have redirected browsers to Java, Adobe and Microsoft HCP-related exploits. We are detecting this exploit content with a variety of names: Exploit.Java.CVE-2010-0840.a-f, Trojan-Downloader.Java.Openconnection.dt, Trojan.Win32.FakeWarn.d, Exploit.HTML.CVE-2010-1885.aj, Exploit.Script.Generic, Exploit.JS.Pdfka.cwm, Exploit.JS.Pdfka.dhm and more. At some point, our broader solutions kick in and just block connections to the web pages altogether. All are part of the Blackhole Exploit kit.


Unpatched and unprotected systems that are successfully exploited download a variety of malware, including FakeAv and the more serious TDSS rootkit, and the Papras and Zbot banking credential stealers.

Most of the redirections we have been monitoring have sent users to a variety of servers in the .cc TLD.


Even if many people would be protected against the exploits, if they were using ClearCloud DNS, access to those domains in the .cc TLD would be blocked.

ClearCloud DNS blocks access to ALL of the .cc TLD. * I need to verify something. I hope I'm not confusing it with *.co.cc. - Yes, it was my confusion... I associated .cc with co.cc (because the service is at http://www.co.cc). I apologize for the confusion.

By the way, I'm trying to find out which domains. Has anyone found a source that mentions them?

- you have DHCP enabled
- your browser searches for proxy configuration via proxy autodiscovery; to do that, it queries the wpad hostname for the configuration file location. The file is - per RFC - called wpad.dat
- the domain name your IT added your machine to is appended to the lookup, so that you get a wpad.example.com query
- your DNS has a wildcard DNS record that points to the moronic webhosting provider (mkay, wildcard records are bad... yet still commonplace *)
- the webhosting, for whatever reason, happily serves the same parking index page no matter what you try to GET - instead of a proper 404 Not Found code
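The chain in the list above (WPAD lookup, suffix appended, wildcard record, catch-all parking page) can be checked mechanically. The script below is an added example written for this thread, not code from any poster: it builds the candidate names a WPAD client walks through (wpad.<suffix>, then dropping leading labels down to the second-level domain), probes the zone with a random label to detect a wildcard record, and inspects what the first resolving name actually serves. The resolver and HTTP fetcher are constructed stand-ins so it runs offline; example.com, the parking address 198.51.100.10 and the parking page text are placeholders, not anything observed on the .cc servers discussed above.

```python
"""
Added example (not from the original thread): model the WPAD lookup chain
and check whether a wildcard DNS record plus a catch-all parking page would
turn it into a bogus "proxy config" hit.

Assumptions (not stated in the post): the resolver and HTTP fetcher below
are constructed stand-ins so this runs offline; example.com and the parking
IP 198.51.100.10 are placeholders.
"""
import secrets
import string
from typing import Callable, Optional

Resolver = Callable[[str], Optional[str]]            # name -> IP, or None for NXDOMAIN
Fetcher = Callable[[str, str], tuple[int, str]]      # (ip, path) -> (status, body)


def wpad_candidates(dns_suffix: str) -> list[str]:
    """Names a WPAD client tries, walking up the DNS suffix label by label.

    The walk stops at the second-level domain, so 'wpad.com' is never queried.
    'corp.example.com' -> ['wpad.corp.example.com', 'wpad.example.com'].
    """
    labels = [lb for lb in dns_suffix.lower().strip(".").split(".") if lb]
    names = []
    while len(labels) >= 2:
        names.append("wpad." + ".".join(labels))
        labels = labels[1:]
    return names


def has_wildcard(resolve: Resolver, zone: str) -> bool:
    """A random, never-registered label should be NXDOMAIN. If it resolves
    anyway, the zone has a wildcard record."""
    junk = "".join(secrets.choice(string.ascii_lowercase) for _ in range(24))
    return resolve(f"{junk}.{zone}") is not None


def looks_like_pac(body: str) -> bool:
    """A genuine wpad.dat is a PAC script and must define FindProxyForURL."""
    return "FindProxyForURL" in body


def assess_wpad(resolve: Resolver, fetch: Fetcher, dns_suffix: str) -> dict:
    """Walk the candidates the way a client would and report on the first
    name that resolves: is the zone wildcarded, is the body a real PAC file,
    and does the host answer 200 for garbage paths (no proper 404)."""
    for name in wpad_candidates(dns_suffix):
        ip = resolve(name)
        if ip is None:
            continue
        zone = name.split(".", 1)[1]
        status, body = fetch(ip, "/wpad.dat")
        junk_status, _ = fetch(ip, "/" + secrets.token_hex(8))
        return {
            "name": name,
            "ip": ip,
            "wildcard": has_wildcard(resolve, zone),
            "serves_pac": status == 200 and looks_like_pac(body),
            "catch_all_http": junk_status == 200,
        }
    return {"name": None}


# --- constructed stand-ins (placeholders, not real infrastructure) -----------
PARKING_IP = "198.51.100.10"
PARKING_PAGE = "<html><body>This domain is parked. Sponsored listings...</body></html>"


def demo_resolve(name: str) -> Optional[str]:
    # Constructed zone: no real wpad host exists, but *.example.com is a
    # wildcard pointing at a web host's parking address.
    if name == "www.example.com":
        return "192.0.2.1"
    if name.endswith(".example.com"):
        return PARKING_IP
    return None


def demo_fetch(ip: str, path: str) -> tuple[int, str]:
    # Constructed web host: same parking page with 200 OK for any path.
    if ip == PARKING_IP:
        return 200, PARKING_PAGE
    return 404, ""


if __name__ == "__main__":
    for candidate in wpad_candidates("corp.example.com"):
        print("client would query:", candidate)
    print(assess_wpad(demo_resolve, demo_fetch, "corp.example.com"))
```

Against the constructed zone, the first candidate resolves straight to the parking host, the wildcard probe comes back positive, the body is not a PAC file, and a random path still gets a 200, which is exactly the combination the list describes. Against a real network, swap `demo_resolve`/`demo_fetch` for socket.gethostbyname and an HTTP client; a `wildcard: True` with `serves_pac: False` is the misconfiguration to report to whoever runs that zone.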

Malverts are probably one of the most common ways I've seen friends and family get infected with fake AV and other trojans. My mom personally got malverts almost daily from a program called Paltalk on her computer that she used. Eventually I uninstalled the program and had her use Paltalk Express in Google Chrome, which was much safer.

I personally pay for and use Ad Muncher, so I've really never run into malicious advertisements, but it just reaffirms my decision to block advertisements until web companies can work to make their revenue model safer and less intrusive.